3.11 %windir%/system32/services.exe oddity

D+ always asks to allow that exe to modify the registry root. For some reason it says no applicable policies are predefined, all I can do is allow the one request. If I later go and change that policy to Windows System Application, it will ask me again.

The problem lies in how the app is identified. %windir% is something you shouldn't see in a D+ path. Once the app is manually added with the correct path, the problems disappear. This alert was not caused on the last version, 3.10. I am using the same rules I have been using for a year. I wonder if other apps that identify themselves with %variables% in their command line can do this as well.

Hi, this is by design; services.exe is a critical app, and therefore the alert logic is different for it.

BTW, you can see that the explorer.exe policy also uses the %windir% variable and works fine.

I looked through the rules and indeed found a few predefined policies from COMODO that use %windir%. So if the cause is not %windir%, then why did this so suddenly and oddly happen with services.exe? Is it normal to have the "Use a predefined policy:" category grayed out, saying no predefined policies can be used for this request? This is the first time I have ever seen that.

This is internal behavior defined by the devs; you don't have control over it.

Egemen explains a bit about it here for rundll32.exe:
https://forums.comodo.com/leak_testingattacksvulnerability_research/d_is_bypassed_by_primitive_batch_virus-t44415.0.html;msg321181#msg321181